gitlab.bandit.B310-1
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
Definition
rules:
- id: bandit.B310-1
  patterns:
  - pattern-not: urllib.$W("...")
  - pattern-not: urllib.request.$W("...")
  - pattern-not: $OPENER.$W("...")
  - pattern-either:
    - patterns:
      - pattern-either:
        - pattern: urllib.urlopen(...)
        - pattern: urllib.request.urlopen(...)
        - pattern: urllib.urlretrieve(...)
        - pattern: urllib.request.urlretrieve(...)
    - patterns:
      - pattern-either:
        - pattern-inside: |
            $OPENER = urllib.URLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.request.URLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.FancyURLopener(...)
            ...
        - pattern-inside: |
            $OPENER = urllib.request.FancyURLopener(...)
            ...
      - pattern-either:
        - pattern: $OPENER.open(...)
        - pattern: $OPENER.retrieve(...)
  message: >-
    Detected a dynamic value being used with urllib. urllib supports
    'file://' schemes, so a dynamic value controlled by a malicious actor may
    allow them to read arbitrary files. Audit uses of urllib calls to ensure
    user data cannot control the URLs, or consider using the 'requests'
    library instead.
  metadata:
    cwe: "CWE-939: Improper Authorization in Handler for Custom URL Scheme"
    owasp: "A5: Broken Access Control"
    primary_identifier: bandit.B310-1
    secondary_identifiers:
    - name: Bandit Test ID B310-1
      type: bandit_test_id
      value: B310-1
  license: MIT
  severity: WARNING
  languages:
  - python
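The rule only exempts calls whose URL argument is a string literal, so any call that takes a variable is reported and left to the reviewer to audit. The added example below (not code from the rule page or from Bandit/Semgrep) shows the flagged shape next to the check a reviewer would want to see before urlopen: an allowlist on scheme and host. `ALLOWED_HOSTS`, `ALLOWED_SCHEMES` and the function names are assumptions for this example; the checked variant is still reported by the rule, since its argument is not a literal, which is exactly the case the message asks you to audit.

```python
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed allowlist for this example: only these hosts may be fetched.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unchecked(url: str) -> bytes:
    """The shape bandit.B310-1 flags: a caller-controlled URL reaches urlopen.

    urlopen accepts any scheme it knows, including file://, so a value such as
    "file:///etc/passwd" here returns local file contents instead of a response.
    """
    with urlopen(url) as resp:
        return resp.read()


def validate_fetch_url(url: str) -> str:
    """Return the URL if it is http(s) to an allowlisted host, else raise.

    urlsplit lowercases the scheme, so "FILE:///x" is rejected along with
    "file:///x"; a bare path has an empty scheme and is rejected too.
    .hostname strips userinfo and port, so "https://u@api.example.com:8443/"
    is compared as "api.example.com".
    """
    clean = url.strip()
    parts = urlsplit(clean)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    return clean


def is_allowed_fetch_url(url: str) -> bool:
    """Boolean form of the same check, convenient for logging or tests."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


def fetch_checked(url: str) -> bytes:
    """Same urlopen call, but only after the URL has passed the allowlist."""
    with urlopen(validate_fetch_url(url)) as resp:
        return resp.read()
```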
Short Link: https://sg.run/R8zN